SIKE Broken
SIKE is one of the new algorithms that NIST recently added to the post-quantum cryptography competition.
It was just broken, really badly.
We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a “glue-and-split” theorem due to Kani. Our attack exploits the existence of a small non-scalar endomorphism on the starting curve, and it also relies on the auxiliary torsion point information that Alice and Bob share during the protocol. Our Magma implementation breaks the instantiation SIKEp434, which aims at security level 1 of the Post-Quantum Cryptography standardization process currently run by NIST, in about one hour on a single core.
Clive Robinson • August 4, 2022 10:27 AM
@ Peter Galbavy, ALL,
“while I haven’t the first clue about the underlying math it read to me like someone who’s installed an amazingly fancy and highly secure”
The fundamental protocol for SIKE is “Supersingular Isogeny Diffie-Hellman” (SIDH), which is a tad difficult to fully explain even by mathematicians…
The problem is that even mathematicians can be unaware of the more rarefied parts of their art…
So it turns out it was not “secure”, and it had been known by some mathematicians how to attack it since the late 1990s…
Which is kind of a decade or two and some before anyone decided to use SIKE as a one way function for crypto. Which kind of makes it really “face palm” embarrassing…
Clive Robinson • August 4, 2022 5:09 PM
@ SpaceLifeForm, ALL,
Re : Move to ECC with a SafeCurve.
Err the maths behind this attack on SIKE is also being looked at for breaking ECC (read ARS article for more details).
So far the search for an ECC attack of use is “ongoing”. This attack on SIKE is almost certainly going to renew attempts to break ECC. Doing so would give the successful person(s) a “Golden Ticket” C.V.[1]
Let’s put it this way: I suspect ECC now has a very short shelf life… Maybe half a decade at most life left would be my advice to the cautious. So looking for a replacement should begin right away.
It could be a heck of a sight less, as there is a chance a successful attack may already have been discovered but not yet recognised. So it might come fast, very fast.
Hence my earlier comments about thinking on how to replace the current asymmetric “Key Exchange” and “Signing” systems.
Because if we lose them before we replace them with a non-QC algorithm then it’s going to be brutal very fast…
Think no secure online,
1, Banking / Finance.
2, Online Shopping/Commerce.
3, Software Patching.
4, Secure Communications.
5, Privacy.
You might remember I’ve been talking off and on about replacing privacy wrecking CA hierarchies for years, as well as private/secure “Rendezvous Protocols”. Because it’s been kind of obvious that Asymmetric Crypto has a serious flaw in the “Secure Trap Door” assumption that was always weak. Worse, the statements of David Deutsch[2] in the mid 1980s about “Quantum Computing” (QC) and his proof that it was going to be significantly improved compared to “Classical Computing” (CC) were a large “Red Flag”…
Even our host @Bruce Schneier some time ago (around the time the AES competition ended) made the point we really needed to stop playing with crypto algorithms and get on with the far harder task of “Key Management” (KeyMan). Which even today is mostly not done (seen by some as either impossible or a career killer).
The best we have for Private/Secure key transfer in emergencies is the provably secure yet both fragile and awkward to scale “One Time Pad”.
Every system so far thought up that does not use asymmetric crypto needs a “Secure Side Channel” to, at the very minimum, set up a “Root of Trust”.
A Two-Party “Root of Trust” transfer without OWFs with Secure Trap Door functions is currently assumed not to scale[3]. The alternative three or more party systems are provably not secure under the usual assumptions (it’s why we spend time talking about “End To End Encryption” (E2EE)).
[1] As some know, the sort of mathematician who is most likely to do this is of PhD Research age, so up to middle to late 30s. So a “Golden Ticket” is their most likely route to “secure academic employment” for the rest of their life.
[2] Basic bio of David Deutsch,
https://quantumzeitgeist.com/david-deutsch-the-father-of-quantum-computing-but-who-is-he/
[3] I’m of a different opinion. Think of three impartial entities that randomly select some “Number Used Once” [nonce] and send them to the two parties that wish to communicate. The two parties then use those points as being on the circumference of a circle and use the radius or center they calculate as a symmetrical key. This system shows it is possible to have a system where none of the impartial third parties can know what the key is. But also that the scaling problem can be significantly reduced, to the point where OTP can be used by individuals to the impartial third parties.
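The three-party nonce scheme sketched in footnote [3] of the comment above, written out as an added example (this is not the commenter's code, nor anything from the SIKE or Castryck-Decru work). The assumptions are mine: each impartial party contributes one random point in the plane, both Alice and Bob receive all three points over confidential channels (the footnote proposes OTP-protected links for this), and the shared symmetric key is a hash of the exact circumcenter and squared radius of the circle through those points. Exact rational arithmetic is used so both sides derive the same bytes regardless of delivery order, and the collinear case (no circle exists) is reported so the protocol can be rerun with fresh nonces.

```python
import hashlib
import secrets
from fractions import Fraction

# Hypothetical illustration of the footnote-[3] scheme (an assumption of this
# example, not a protocol from the page): three impartial servers each send one
# random point to both Alice and Bob; the circle through the three points is the
# shared secret.


def make_nonce_point(bits=64):
    """One impartial party's contribution: a random point in the plane."""
    return (secrets.randbits(bits), secrets.randbits(bits))


def circumcircle(p1, p2, p3):
    """Exact circumcenter (ux, uy) and squared radius r2 of the circle through
    three points. Returns None if the points are collinear, in which case no
    circle exists and the parties must request fresh nonces."""
    (ax, ay), (bx, by), (cx, cy) = p1, p2, p3
    d = 2 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    if d == 0:
        return None
    a2, b2, c2 = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = Fraction(a2 * (by - cy) + b2 * (cy - ay) + c2 * (ay - by), d)
    uy = Fraction(a2 * (cx - bx) + b2 * (ax - cx) + c2 * (bx - ax), d)
    r2 = (ux - ax) ** 2 + (uy - ay) ** 2
    return ux, uy, r2


def derive_key(points):
    """Derive a 256-bit symmetric key from the three received points.
    Points are sorted first so that the order of delivery does not matter."""
    circle = circumcircle(*sorted(points))
    if circle is None:
        return None
    canon = "|".join(f"{v.numerator}/{v.denominator}" for v in circle).encode()
    return hashlib.sha256(canon).digest()


def run_protocol(points=None):
    """Simulate one run: three servers pick points and deliver them to both
    parties. Alice and Bob may receive them in different orders; each computes
    the key independently. Returns (alice_key, bob_key)."""
    if points is None:
        points = [make_nonce_point() for _ in range(3)]
    alice_view = list(points)
    bob_view = list(reversed(points))
    return derive_key(alice_view), derive_key(bob_view)


if __name__ == "__main__":
    ka, kb = run_protocol()
    print("keys match:", ka == kb, "key:", ka.hex())
```

Note what the code makes explicit about the footnote's claim: any single impartial party, knowing only its own point, cannot compute the circle, but anyone who observes all three deliveries runs `derive_key` just as Alice does. The confidentiality of the three channels, not the geometry, is what carries the security, which is why the footnote pairs the scheme with OTPs between individuals and the third parties.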